Threat Intelligence Blog
Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.
Black Arrow Cyber Threat Briefing 26 March 2021
Black Arrow Cyber Threat Briefing 26 March 2021: Cyber Warfare Will Grind Britain’s Economy To A Halt; $2 Billion Lost To BEC Scams In 2020; Ransomware Gangs Targets Firms With Cyber Insurance; Three Billion Phishing Emails Are Sent Every Day; $50 Million Ransomware For Computer Maker Acer; Office 365 Phishing Attack Targets Financial Execs; MS Exchange Hacking, Thousands Of Email Servers Still Compromised; Average Ransom Payment Surged 171% in 2020; Phishers’ Perfect Targets: Employees Getting Back To The Office; Nasty Malware Stealing Amazon, Facebook And Google Passwords
Welcome to this week’s Black Arrow Cyber Threat Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.
Top Cyber Stories of the Last Week
Cyber Warfare Will Grind Britain’s Economy To A Halt
The UK Integrated Security, Defence, Development and Foreign Policy Review was published this week, reflecting on current concerns and previously announced initiatives. The policy made it clear that emerging networks and technologies, such as electric vehicle charging points, provide an opportunity for adversaries to unbalance, paralyse or even defeat us, and a large scale attack on the UK could grind Britain’s economy to a halt.
https://www.telegraph.co.uk/technology/2021/03/22/cyber-warfare-will-grind-britains-economy-halt/
Almost $2 Billion Lost To BEC Scams In 2020
Losses emanating from Business Email Compromise (BEC) and Email Account Compromise (EAC) scams surpassed US$1.86 billion last year, which is more than the combined losses stemming from the next six costliest types of cyber crime. 19,000 reports of BEC/EAC scams last year, a decrease compared to the almost 24,000 incidents reported in 2019. The associated losses, however, increased by over US$90 million and accounted for 45 percent of the total losses (US$4.2 billion).
https://www.welivesecurity.com/2021/03/23/almost-2billion-lost-bec-scams-2020/
Ransomware Gang Says It Targets Firms Who Have Cyber Insurance
What I found particularly fascinating was a claim made by “Unknown” that the REvil gang specifically targets firms who have taken out insurance against ransomware attacks – presumably in the understandable belief that those corporate victims are more likely to pay up.
https://grahamcluley.com/ransomware-gang-says-it-targets-firms-with-cyber-insurance/
Three Billion Phishing Emails Are Sent Every Day
Cyber criminals are sending over three billion emails a day as part of phishing attacks designed to look like they come from trusted senders. By spoofing the sender identity used in the 'from' field in messages, cyber criminals attempt to lure potential victims into opening emails from names they trust. This could be the name of a trusted brand like a retailer or delivery company, or even, in more sophisticated attacks, the name of their CEO or a colleague.
Ransomware Gang Demands $50 Million From Computer Maker Acer
Acer has suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang, which is now demanding a whopping $50 million ransom payment to decrypt the company’s computers and not leak its data on the dark web. The attack has not disrupted production systems but only hit the company’s back-office network. The security breach was not deemed disruptive enough to prevent or delay the computer maker from announcing its Q4 2020 financial results on Wednesday.
https://therecord.media/ransomware-gang-demands-50-million-from-computer-maker-acer/
Office 365 Phishing Attack Targets Financial Execs
A new phishing scam is on the rise, targeting executives in the insurance and financial services industries to harvest their Microsoft 365 credentials and launch business email compromise (BEC) attacks. These new, sophisticated attacks are aimed at C-suite executives, their assistants, and financial departments, and can work around email security and Office 365 defences.
https://threatpost.com/office-365-phishing-attack-financial-execs/164925/
Microsoft Exchange Hacking: Thousands Of Email Servers Still Compromised – Ransomware Operators Still Piling In On Already Hacked Servers
Thousands of Microsoft Exchange servers are still compromised by hackers even after applying fixes. Owners of email servers that were compromised before Microsoft Corp. issued a patch nearly three weeks ago must take additional measures to remove the hackers from their networks. Microsoft has previously warned that patching will not evict a hacker who has already compromised a server.
Average Ransom Payment Surged 171% in 2020
The average ransomware payment soared by 171% year-on-year in 2020 as cyber crime gangs queued up to exploit the pandemic. The security vendor’s Unit 42 division compiled its Ransomware Threat Report 2021 from analysis of over 19,000 network sessions, 252 ransomware leak sites and 337 victim organizations.
https://www.infosecurity-magazine.com/news/average-ransom-payment-surged-171/
Phishers’ Perfect Targets: Employees Getting Back To The Office
Phishers have been exploiting people’s fear and curiosity regarding breakthroughs and general news related to the COVID-19 pandemic from the very start and will continue to do it for as long it affects out private and working lives. Cyber criminals continually exploit public interest in COVID-19 relief, vaccines, and variant news, spoofing the Centers for Disease Control (CDC), U.S. Internal Revenue Service (IRS), U.S. Department of Health and Human Services (HHS), World Health Organization (WHO), and other agencies and businesses.
https://www.helpnetsecurity.com/2021/03/22/phishers-employees/
Nasty Malware Stealing Amazon, Facebook And Google Passwords
A new piece of malware called CopperStealer is lurking in “cracked” software downloads available on pirated-content sites, and the malware can compromise your login info for Amazon, Apple, Facebook and Google, among other services. Notably, CopperStealer runs on the same basic principles as SilentFade, a pernicious piece of malware that ravaged Facebook accounts back in 2019.
https://www.tomsguide.com/news/cracked-software-copperstealer-malware
Threats
Ransomware
Phishing
9,000 Employees Targeted In Phishing Attack Against California Agency
Microsoft Warns Of Phishing Attacks Bypassing Email Gateways
Malware
Fraudsters Jump On Clubhouse Hype To Push Malicious Android App
Purple Fox Malware Evolves To Propagate Across Windows Machines
Nasty malware stealing Amazon, Facebook and Google passwords
IOT
Vulnerabilities
5G Network Slicing Vulnerability Leaves Enterprises Exposed To Cyber Attacks
Hackers Are Exploiting A Server Vulnerability With A Severity Of 9.8 Out Of 10
Openssl Fixes Severe Dos, Certificate Validation Vulnerabilities
Data Breaches
FatFace Tells Customers To Keep Its Data Breach ‘Strictly Private’
Energy giant Shell discloses data breach after Accellion hack
Organised Crime & Criminal Actors
OT, ICS, IIoT and SCADA
Nation State Actors
Privacy
As usual, contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.
Look out for our weekly ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.
You can also follow us on Facebook, Twitter and LinkedIn.
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank
Cyber Weekly Flash Briefing 26 June 2020: Covid changes infosec landscape, ransomware actors lurk post attack, hacker earns millions, rogue bank staff steal $3.2m, massive DDoS against European bank
If you’re pressed for time watch the 60 second quick fire video summary of the top Cyber and InfoSec stories from the last week:
Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.
Businesses believe the pandemic will change the security landscape forever
After Covid-19, nothing will ever be the same again, at least in terms of how businesses approach cyber security. This is according to a new report based on a poll of 6,700 infosec professionals around the world.
The report states that 81 percent expect long-term changes to the way their business operates, mostly because of remote working.
With this in mind, examining how remote employees approach cyber security will become paramount if an organisation is to maintain a strong security posture.
A third of respondents said they worry employees may feel more relaxed about cyber security than when they are working out of the office. Employees may also be less likely to follow protocol at home, particularly when it comes to identifying and flagging suspicious activity.
Further, almost a third (31 percent) fear employees might unintentionally leak sensitive data or fall prey to a phishing scam and a quarter are afraid staff might fall victim to malware attacks.
Of the largest risks associated with remote working, respondents singled out “using untrusted networks” as the most significant. Other people accessing employees' company devices, the use of personal messaging services for work, and the unintentional sharing of company data are also high on the list of risks.
Ransomware operators lurk on your network after their attack
When a company suffers a ransomware attack, many victims feel that the attackers quickly deploy the ransomware and leave so they won't get caught. Unfortunately, the reality is much different as threat actors are not so quick to give up a resource that they worked so hard to control.
Instead, ransomware attacks are conducted over time, ranging from a day to even a month, starting with a ransomware operator breaching a network.
This breach is through exposed remote desktop services, vulnerabilities in VPN software, or via remote access given by malware such as TrickBot, Dridex, and QakBot.
Once they gain access, they use tools such as Mimikatz, PowerShell Empire, PSExec, and others to gather login credentials and spread laterally throughout the network.
As they gain access to computers on the network, they use these credentials to steal unencrypted files from backup devices and servers before deploying the ransomware attack.
Once the ransomware is deployed, many victims believe that while their network is still compromised, they think the ransomware operators are now gone from the system.
This belief is far from the truth, as illustrated by a recent attack by the Maze Ransomware operators.
Read the full article here: https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/
Prolific Hacker Made Millions Selling Network Access
A notorious Russian cyber-criminal made over $1.5m in just the past three years selling access to corporate networks around the world, according to a new report.
The study profiles the work of “Fxmsp” on underground forums where he published his first ad selling access to business networks in 2017.
Over the following years he would compromise banks, hotels, utilities, retailers, tech companies and organisations in many more verticals.
In just three years he claimed to have compromised over 130 targets in 44 countries, including four Fortune 500 firms. Some 9% of his victims were governments.
The report calculated the $1.5m figure purely from publicised sales, although 20% of those Fxmsp compromised were made through private sales, meaning the hacker’s trawl is likely to be even bigger.
Fxmsp even hired a sales manager in early 2018.
Read more here: https://www.infosecurity-magazine.com/news/infamous-hacker-millions-selling/
Rogue Postbank employees steal master encryption key; make off with $3.2 million
South Africa's Postbank has been forced to replace 12 million bank cards after a calamitous security breach that saw the bank's master encryption key printed off in plain, unencrypted language.
According to internal documents acquired by the Sunday Times of South Africa, the 36-digit code security key “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards".
The master key was apparently printed out on plain paper in a data centre in Pretoria in 2018, enabling the fraudsters to make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.
The crime, which is being pinned on a number of rogue bank employees, went unnoticed for months. More than $3.2 million was stolen in the raid.
The cost to the bank of replacing all the compromised cards is expected to reach $58 million.
Read more here: https://www.finextra.com/newsarticle/36059/rogue-postbank-employees-steal-master-encryption-key-make-off-with-32-million
Massive Distributed Denial of Service (DDoS) attack launched against European bank
This week, security firm Akamai mitigated what it claims to be the “largest ever packet per second (pps) DDoS attack”, launched against an unnamed European bank.
The attack reportedly generated 809 million packets per second (Mpps) - a new high for pps-focused attacks, and well over double the size of the previous record attack identified by the Akamai platform.
What also makes this DDoS attack unique is the “massive increase” in the quantity of source IP addresses observed. During the attack, Akamai identified more than 600 times average number of source IP addresses per minute, suggesting the attack was highly distributed in nature.
Further, most of the traffic came from previously unknown IP addresses (96.2 percent), which could indicate the assault was driven by an emerging botnet. Given that most of the source IP addresses could be identified within large ISPs via AS lookups, Akamai believes most of the devices used were compromised end user machines.
The speed at which the attack reached its peak was also remarkable. The company claims it grew from normal traffic levels to 418 Gbps in seconds, and took roughly two minutes to hit 809 Mpps. The attack lasted for a total of 10 minutes and was fully mitigated.
Read more here: https://www.itproportal.com/news/massive-ddos-attack-launched-against-european-bank/
'Unstoppable' Malware Uses Bitcoin To Retrieve Secret Messages - Report
Glupteba, a sneaky malware that can be controlled from afar includes a range of components to cover its tracks, and it updates itself using encrypted messages hidden in the Bitcoin blockchain.
The Glupteba bot is a malware campaign that creates backdoors with full access to contaminated devices, which are added to its growing botnet. The analysis describes it as a “highly self-defending malware” with “enhancing features that enable the malware to evade detection.”
The most interesting aspect of Glupteba is that it uses the Bitcoin blockchain as a communication channel for receiving updated configuration information, given that bitcoin transactions can also include a comment of up to 80 characters.
Glupteba uses this messaging space for encrypted messages. These messages contain secrets, such as command-and-control server names, thus cleverly hiding them in the public blockchain - in plane sight.
Read more: https://cryptonews.com/news/unstoppable-malware-uses-bitcoin-to-retrieve-secret-messages-6947.htm
Woman who deliberately deleted firm’s Dropbox is sentenced
58-year-old Danielle Bulley may not look like your typical cyber criminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.
Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.
She was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon. Things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.
Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.
More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.
The Police warned other companies of the threat which can be posed by former employees:
Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.
If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.
Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.
EasyJet Lawsuit Over Data Breach Attracts 10,000 Passengers
EasyJet Plc faces a lawsuit over a data breach disclosed last month that potentially exposed private details of 9 million passengers.
More than 10,000 people have joined the suit since it was filed last month, according to the law firm handling the lawsuit. Victims are entitled to as much as £2,000 in compensation, meaning the case could be worth as much as £18 billion.
EasyJet said last month that the email addresses and travel data of about 9 million customers were taken by hackers in one of the biggest privacy breaches to hit the airline industry. The credit card details of roughly 2,200 people was also accessed.
“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on EasyJet’s customers, who are coming forward in their thousands,” the law firm said in a statement. “This is personal information that we trust companies with, and customers should expect that every effort is made to protect their privacy.”
Read more here: https://www.bloomberg.com/news/articles/2020-06-24/easyjet-lawsuit-over-data-breach-attracts-10-000-passengers
Twitter apologises for business data breach
Twitter has emailed its business clients to tell them that personal information may have been compromised.
Unbeknownst to users, billing information of some clients was stored in the browser's cache, it said.
In an email to its clients, Twitter said it was "possible" others could have accessed personal information.
The personal data includes email addresses, phone numbers and the last four digits of clients' credit card numbers.
The tech company says that there is no evidence that clients' billing information was compromised.
Read more here: https://www.bbc.co.uk/news/technology-53150157
Huge Data Dump of Police Files Dubbed “Blue Leaks” Leaked Online
Nearly 270 gigabytes worth of sensitive files including FBI, “fusion center” and police department data from across the US dubbed “Blue Leaks” has been stolen and leaked online on June 19 by a collective called DDoSecrets.
Fusion centres are hubs for threat and intelligence sharing. The concept was created after September 11, in a bid by the Department of Homeland Security to improve cooperation between state, local, and territorial law enforcement
The National Fusion Centre Association (NFCA) says that the data was taken after a security breach at web development firm Netsential in Houston, Texas. It includes 490 documents pertaining to the UK. Computer Business Review was not immediately able to open these to assess the contents.
DDoSecrets stated that the Blue Leaks archive spans “ten years of data from over 200 police departments, fusion centres and other law enforcement training and support resources […] among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more”.
Read more here: https://www.cbronline.com/news/blue-leaks-data-dump